
Extending Pound to implement HTTP Digest authentication
Iñaki Baz Castillo <ibc(at)aliax.net>
2009-10-20 13:34:44
Hi, how possible would it be to extend the Pound proxy to implement HTTP Digest 
authentication by querying a MySQL/Postgres database or a Radius server?

Perhaps what I ask is a bit complex, but I just would like to know if it's 
feasible to add such a layer on top of the existing code. What I exactly 
need is shown in the following hypothetical config file. Note that I've added 
some non-existing features:


----------------------------------------
## Digest authentication based on MySQL table.
AuthDigestType                mysql
AuthDigestMysqlHost           localhost
AuthDigestMysqlDatabase       mydatabase
AuthDigestMysqlUser           me
AuthDigestMysqlPasswd         1234
AuthDigestMysqlTable          subscribers
AuthDigestMysqlUserColumn     username
AuthDigestMysqlDomainColumn   domain
AuthDigestMysqlPlainPasswd    no
AuthDigestMysqlHa1Column      ha1
# Don't ask for authentication for requests from these addresses.
AuthTrustedIps                90.90.76.0/24, 127.0.0.1/32


## A backend list to be used in various "Service" blocks.
BackEndList
  Id  my-http-servers
  BackEnd
    Address     127.0.0.1
    Port        9001
  End
  BackEnd
    Address     127.0.0.1
    Port        9002
  End
End


ListenHTTPS

  Address      XX.XX.XX.XX
  Port         443
  Cert         "/etc/ssl/local.server.pem"
  HeadRemove   "X-Forwarded-For"

  ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
  xHTTP        1

End


### Users trying to fetch or modify their documents under "pres-rules/" or
### "resource-lists/" must authenticate.
Service

  # Only for these URLs; extract the [user] and [domain] to use in the 401.
  # Example 1:  https://mydomain.org/resource-lists/users/sip:alice(at)domain2.net/mydocument.xml
  #   => user   = alice
  #   => domain = domain2.net
  # Example 2:  https://mydomain.org/pres-rules/users/bob(at)domain3.com/presrules.xml
  #   => user   = bob
  #   => domain = domain3.com
  URL  "https://mydomain.org/(pres\-rules|resource\-lists)|/users/(sips?:)?:[[user]].+[[/user]](at)[[domain].+[[/domain]]/.*"

  # Just if method is GET, PUT or DELETE.
  Method GET PUT DELETE

  # Require digest authentication. 401 will contain "WWW-Authenticate" with
  # "username=user" and "realm=domain" (extracted from URL).
  AuthDigest user domain

  BackEndList
    my-http-servers
  End

End

### Any user can see the icon of other users (so no auth is required):
Service

  URL  "https://mydomain.org/icon/users/.*"

  Method GET

  BackEndList
    my-http-servers
  End

End


### A user trying to modify his icon must authenticate:
Service

  URL  "https://mydomain.org/icon/users/(sips?:)?:[[user]].+[[/user]](at)[[domain].+[[/domain]]/.*"

  Method PUT, DELETE

  AuthDigest user domain

  BackEndList
    my-http-servers
  End

End
----------------------------------------



Of course I do know this is a very extended and complex feature. I just would
like to know if it's possible to code such a feature on top of the existing
code.


Thanks.


[...]
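As an added illustration (not code from the original post, and not part of Pound), the following Python model shows the proxy-side logic that the hypothetical config above describes: the owner's user and domain are taken from the XCAP path, the 401 challenge uses that domain as the realm, authentication is required only for the method/collection pairs of the three "Service" blocks, trusted networks skip it, and the client's response is verified against a stored HA1 so the proxy never needs a plaintext password. The subscriber table, the trusted networks, the nonce and all function names are constructed stand-ins; a MySQL or Radius lookup would replace the in-memory dictionary.

```python
import hashlib
import ipaddress
import re
import secrets
from urllib.parse import unquote

# Constructed stand-in for the hypothetical "subscribers" table: only
# HA1 = MD5(username:realm:password) is stored (the AuthDigestMysqlHa1Column idea).
# The realm used here must equal the domain sent in the 401, otherwise no stored
# HA1 can ever match a client's response.
def make_ha1(user, realm, password):
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

SUBSCRIBERS = {
    ("alice", "domain2.net"): make_ha1("alice", "domain2.net", "alice-secret"),
    ("bob", "domain3.com"): make_ha1("bob", "domain3.com", "bob-secret"),
}

# AuthTrustedIps: requests from these networks are forwarded without a challenge.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("90.90.76.0/24", "127.0.0.1/32")]

# Which methods need authentication per collection (the three "Service" blocks).
AUTH_RULES = {
    "pres-rules": {"GET", "PUT", "DELETE"},
    "resource-lists": {"GET", "PUT", "DELETE"},
    "icon": {"PUT", "DELETE"},
}

# Document owner from the path, e.g. /resource-lists/users/sip:alice@domain2.net/doc.xml
XCAP_OWNER = re.compile(
    r"^/(pres-rules|resource-lists|icon)/users/(?:sips?:)?([^@/]+)@([^/]+)/")

def extract_owner(path):
    """Return (collection, user, domain) when the owner is in the URL, else None."""
    m = XCAP_OWNER.match(unquote(path))
    return (m.group(1), m.group(2), m.group(3)) if m else None

def is_trusted(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

def build_challenge(realm, nonce):
    """WWW-Authenticate value for the 401; the realm is the domain from the URL."""
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}", algorithm=MD5'

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_authorization(header):
    """Split 'Digest k=v, k="v"' into a dict; None if the scheme is not Digest."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: q or u for k, q, u in _PARAM.findall(rest)}

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()

def client_authorization(user, realm, password, method, uri, nonce,
                         cnonce="0a4f113b", nc="00000001"):
    """What a well-behaved client sends after the challenge (used to exercise verify)."""
    resp = digest_response(make_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')

def verify(method, path, client_ip, authorization, server_nonce):
    """Decide what the proxy does with one request.
    Returns (200, 'user@domain') to forward with that identity in a header,
    (401, challenge) to (re)challenge, or (200, None) when no auth is required.
    A real proxy would issue a fresh nonce per challenge and track its validity."""
    owner = extract_owner(path)
    if owner is None:
        return 200, None
    collection, user, domain = owner
    if method not in AUTH_RULES[collection] or is_trusted(client_ip):
        return 200, None
    challenge = build_challenge(domain, server_nonce)
    params = parse_authorization(authorization) if authorization else None
    if not params:
        return 401, challenge
    # Credentials must be for the document's owner, this realm, this nonce and this URI,
    # so a response captured for one document cannot be replayed against another.
    if (params.get("username") != user or params.get("realm") != domain
            or params.get("nonce") != server_nonce or params.get("uri") != path
            or params.get("qop") != "auth"):
        return 401, challenge
    ha1 = SUBSCRIBERS.get((user, domain))
    if ha1 is None:
        return 401, challenge
    expected = digest_response(ha1, method, path, server_nonce,
                               params.get("nc", ""), params.get("cnonce", ""))
    if not secrets.compare_digest(expected, params.get("response", "")):
        return 401, challenge
    return 200, f"{user}@{domain}"
```

When the proxy forwards the authenticated identity to the back-end in a header, it must also strip any copy of that header arriving from the client, in the same way the config removes "X-Forwarded-For" with HeadRemove; otherwise a client could simply assert the identity itself.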

Re: [Pound Mailing List] Extending Pound to implement HTTP Digest authentication
Jacques Caron <jc(at)oxado.com>
2009-10-20 13:56:53
Hi,

What would be the point of doing this in pound rather than on the 
back-end http server? Also it would conflict with cases where the 
back-end does authentication itself, and of course there would be the 
problem of communicating auth info to the back-end (when you do it on 
Apache for instance you get the username in REMOTE_USER).

It might be more appropriate to do Proxy-authentication (i.e. 407 
instead of 401), but wouldn't that be more useful in a "forward" 
proxy configuration rather than in a reverse proxy/load balancer configuration?

Jacques.

At 12:34 20/10/2009, Iñaki Baz Castillo wrote:[...]

Re: [Pound Mailing List] Extending Pound to implement HTTP Digest authentication
Iñaki Baz Castillo <ibc(at)aliax.net>
2009-10-20 14:19:09
On Tuesday, 20 October 2009, Jacques Caron wrote:[...]

This would be for a specific scenario (XCAP protocol on top of HTTP) so the 
http servers already know they must not ask for auth.

About the communication you are right, I forgot to mention that the proxy 
would add a header containing the user(at)domain after a successful 
authentication.


[...]

Right, my fault.

[...]

The point here is that I must implement digest auth (based on DB or Radius) in 
my XCAP servers (still in development of course), so for me it's the same if I 
do it in the proxy itself and it would be faster (C code VS Ruby code).
Also Ruby lacks a Radius library, so perhaps it would be easier coding the 
radius-digest auth using the existing C library.

Not sure if a "forward" proxy would be better here. The fact is that I do need 
load balancing and failover as my config file shows.
The typical environment would be the following:

- A server (quad-core) on the Internet with a public IP.
- Pound listening on port 443 (HTTPS).
- 4 instances of my Ruby XCAP/HTTP server running on the same server (listening on 
localhost).
- Pound does failover and load balancing between them.
- Clients connect to the public IP in which Pound binds from anywhere in the 
world.

I expect this must be a "reverse proxy configuration".


Thanks a lot.
[...]
